The average time between a breach and its detection is 197 days. That's not because attacks are invisible — it's because most organizations don't know what to look for.
Here are the signals that indicate your site has already been compromised.
1. Unexpected Redirects
If visitors are being sent to pharmaceutical sites, gambling pages, or other domains you don't control, your site has been injected with malicious redirects. This often happens through compromised plugins, injected JavaScript, or modified .htaccess files.
Check your source code for unfamiliar script tags. Check your server configuration for redirect rules you didn't write. Check your DNS records for unauthorized changes.
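A scripted version of the "unfamiliar script tags" check, added here as an example (it is not code from the original article). It parses a saved copy of a page and flags script sources and iframes on hosts outside an allowlist, meta-refresh redirects to outside domains, and inline scripts that use constructs typical of injected code. The allowlist, the sample page and the pattern list are all constructed for the demonstration.

```python
"""Scan an HTML page for script sources, iframes and redirects that point off
the site.  Added example, not code from the original article; the allowlist,
sample page and suspicious-pattern list are constructed for the demo."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Hosts the site owner recognises (constructed allowlist).
ALLOWED_HOSTS = {"example.com", "www.example.com", "cdn.example.com"}

# Constructs that commonly appear in injected, obfuscated inline scripts.
# This is a heuristic: legitimate code can match too, so review hits manually.
SUSPICIOUS_INLINE = re.compile(
    r"eval\(|unescape\(|fromCharCode|atob\(|document\.write\(|location\s*=",
    re.IGNORECASE,
)


class ScriptAuditor(HTMLParser):
    """Collect external script/iframe hosts, inline script bodies and meta refreshes."""

    def __init__(self):
        super().__init__()
        self.findings = []          # list of (kind, detail)
        self._in_script = False
        self._inline_buf = []

    @staticmethod
    def _host_of(url):
        # Relative URLs have no host and are treated as same-origin.
        parsed = urlparse(url)
        return parsed.hostname if parsed.hostname else None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            src = attrs.get("src")
            if src:
                host = self._host_of(src)
                if host and host not in ALLOWED_HOSTS:
                    self.findings.append(("external-script", src))
            else:
                self._in_script = True
                self._inline_buf = []
        elif tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", attrs.get("content", ""), re.IGNORECASE)
            if m:
                target = m.group(1).strip()
                host = self._host_of(target)
                if host and host not in ALLOWED_HOSTS:
                    self.findings.append(("meta-redirect", target))
        elif tag == "iframe":
            src = attrs.get("src", "")
            host = self._host_of(src)
            if host and host not in ALLOWED_HOSTS:
                self.findings.append(("external-iframe", src))

    def handle_data(self, data):
        if self._in_script:
            self._inline_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._inline_buf)
            if SUSPICIOUS_INLINE.search(body):
                self.findings.append(("suspicious-inline", body.strip()[:60]))


def audit_html(html):
    """Return a list of (kind, detail) findings for one page."""
    auditor = ScriptAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: one legitimate CDN script, one same-origin script,
# one script from an unknown host, a meta refresh off-site and an obfuscated
# inline script.  The .invalid domains are reserved placeholders.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script src="/static/site.js"></script>
<script src="//static-cdn.invalid/loader.js"></script>
<meta http-equiv="refresh" content="0;url=https://pills-deals.invalid/buy">
<script>var _0x=eval(unescape("%61%6c%65%72%74"));</script>
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_html(SAMPLE_PAGE):
        print(f"{kind:18} {detail}")
```

Run it over HTML fetched from the live site rather than from your repository: injected content frequently lives only on the server. The inline-script rule is deliberately broad, so treat its hits as a review queue, not a verdict.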
2. Google Search Console Warnings
Google is often the first to notice. If Search Console flags your site for malware, phishing, or "hacked content," take it seriously. Google's crawlers see your site more frequently than you do.
Even without a formal warning, check your search results. Search site:yourdomain.com and look for pages you didn't create — especially pages in other languages or with pharmaceutical/gambling content.
3. Unexplained New User Accounts
Check your admin panel for user accounts you don't recognize. Attackers create backdoor accounts immediately after gaining access. These accounts often have administrator privileges and innocuous-looking usernames.
If you find one, don't just delete it. You need to understand how it was created, because the vulnerability that allowed it still exists.
4. Modified Core Files
Your CMS core files, theme files, and plugin files should only change when you update them. If file modification timestamps don't match your deployment schedule, investigate.
Use file integrity monitoring or compare your production files against a known-good copy. Pay special attention to functions.php, wp-config.php, index.php, and .htaccess (or their equivalents in your stack).
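A minimal file integrity check of the kind described above, added as an example (not code from the original article): it records a SHA-256 manifest of a web root, compares a later snapshot against it, and reports added, removed and modified files, calling out the high-value files named in the text. The web root it builds under a temporary directory and the tampering it simulates are constructed for the demonstration.

```python
"""Baseline-and-compare file integrity check for a web root.  Added example,
not code from the original article; the directory it builds under a temporary
folder and the changes it makes to it are constructed for the demo."""
import hashlib
import os
import shutil
import tempfile

# Files that should change only on a deployment; flag them separately.
HIGH_VALUE = {"functions.php", "wp-config.php", "index.php", ".htaccess"}


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large uploads do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Report added, removed and modified paths, plus hits on HIGH_VALUE names."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    high_value = sorted(p for p in added + modified
                        if os.path.basename(p) in HIGH_VALUE)
    return {"added": added, "removed": removed,
            "modified": modified, "high_value": high_value}


def demo():
    """Build a constructed web root, baseline it, alter it, and compare."""
    root = tempfile.mkdtemp(prefix="webroot-")
    theme = os.path.join("wp-content", "themes", "site")
    os.makedirs(os.path.join(root, theme))
    files = {
        "index.php": "<?php require 'wp-blog-header.php';\n",
        "wp-config.php": "<?php define('DB_NAME', 'site');\n",
        os.path.join(theme, "functions.php"): "<?php // theme functions\n",
        os.path.join("wp-content", "readme.txt"): "notes\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(body)
    baseline = build_manifest(root)        # in practice: stored off the server

    # Simulated changes: a line appended to the theme's functions.php, an
    # unexpected PHP file dropped into wp-content, and one harmless file gone.
    with open(os.path.join(root, theme, "functions.php"), "a") as f:
        f.write("// appended after deployment\n")
    with open(os.path.join(root, "wp-content", "uploads.php"), "w") as f:
        f.write("<?php // file not present at deployment\n")
    os.remove(os.path.join(root, "wp-content", "readme.txt"))

    report = compare_manifests(baseline, build_manifest(root))
    shutil.rmtree(root, ignore_errors=True)
    return report


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Hashes are a stronger signal than the modification timestamps the text mentions, because a timestamp is trivially reset (touch sets it to any value), while a content hash is not. Keep the baseline manifest somewhere the web server cannot write to; a manifest stored in the web root can be edited alongside the files it protects.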
5. Outbound Connections You Don't Recognize
Your server shouldn't be making HTTP requests to domains you've never heard of. Monitor outbound traffic for connections to unfamiliar IPs or domains. Compromised servers are frequently used to send spam, mine cryptocurrency, or participate in DDoS attacks.
Check your server's cron jobs for entries you didn't create. Check running processes for anything unfamiliar. Check network connections with netstat or ss.
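An example of turning the "outbound connections you don't recognize" check into something repeatable, added here and not taken from the original article. It parses socket listings in the shape that `ss -tnp` prints, ignores connections to the ports the server itself serves (those are inbound clients), and flags the rest against a destination allowlist, with the outbound SMTP case called out because it is the spam-relay signal the text describes. The allowlist, served-port set and sample lines are all constructed.

```python
"""Flag outbound connections to destinations the server has no business
talking to.  Added example, not from the original article; the allowlist,
served ports and sample lines (constructed in the shape of `ss -tnp` output)
are made up for the demo."""
import ipaddress
import re

# Destinations this server legitimately talks to (constructed allowlist).
ALLOWED_DESTINATIONS = [
    ipaddress.ip_network("10.0.0.0/8"),      # internal network
    ipaddress.ip_network("192.0.2.10/32"),   # constructed: the payment API host
]
SERVED_PORTS = {80, 443}   # our listeners; a peer on these is an inbound client
WEB_PORTS = {80, 443}      # normal ports for a server's own outbound HTTP(S)

# Constructed sample: one inbound client, one allowed API call, one shell
# process connected to an odd port, and PHP talking SMTP to a stranger.
SAMPLE_SS_OUTPUT = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:443 203.0.113.7:52011 users:(("nginx",pid=812,fd=14))
ESTAB 0 0 10.0.0.5:41022 192.0.2.10:443 users:(("php-fpm",pid=901,fd=9))
ESTAB 0 0 10.0.0.5:41030 198.51.100.23:4444 users:(("sh",pid=1337,fd=3))
ESTAB 0 0 10.0.0.5:41031 198.51.100.44:25 users:(("php-fpm",pid=903,fd=11))
"""

PROCESS_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def split_endpoint(endpoint):
    """'host:port' -> (host, port); strips IPv6 brackets."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_ss(text):
    """Turn ss-style lines into connection dicts; skips the header."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        local_ip, local_port = split_endpoint(parts[3])
        peer_ip, peer_port = split_endpoint(parts[4])
        m = PROCESS_RE.search(line)
        conns.append({
            "local_ip": local_ip, "local_port": local_port,
            "peer_ip": peer_ip, "peer_port": peer_port,
            "process": m.group(1) if m else "?",
            "pid": int(m.group(2)) if m else None,
        })
    return conns


def find_unexpected_outbound(conns):
    """Return (process, pid, 'peer:port', reason) for connections to flag."""
    findings = []
    for c in conns:
        if c["local_port"] in SERVED_PORTS:
            continue                      # inbound client, not our outbound traffic
        peer = ipaddress.ip_address(c["peer_ip"])
        if any(peer in net for net in ALLOWED_DESTINATIONS):
            continue
        if c["peer_port"] == 25:
            reason = "outbound SMTP"      # a web host relaying mail: spam signal
        elif c["peer_port"] not in WEB_PORTS:
            reason = "non-web port"
        else:
            reason = "unknown destination"
        findings.append((c["process"], c["pid"],
                         f'{c["peer_ip"]}:{c["peer_port"]}', reason))
    return findings


if __name__ == "__main__":
    for proc, pid, peer, reason in find_unexpected_outbound(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"{proc}[{pid}] -> {peer}: {reason}")
```

Build the allowlist from a period you are confident was clean, and run the check repeatedly rather than once: a single listing only shows what is connected at that instant. Connections from shells or interpreters that have no reason to make network calls deserve a look even when the destination is allowlisted.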
6. Performance Degradation Without Explanation
If your site suddenly becomes slower without a traffic spike or deployment change, consider that something else is consuming resources. Cryptominers, spam relays, and data exfiltration all consume CPU, memory, and bandwidth.
Monitor your server's resource usage over time. A sudden baseline shift without a corresponding change on your end is a red flag.
7. Email Delivery Problems
If your domain's emails start landing in spam or getting rejected, check whether your IP or domain has been blacklisted. Compromised servers are frequently used to send spam, which gets your legitimate email infrastructure flagged.
Check your SPF, DKIM, and DMARC records. Check blacklist status at MXToolbox. If your server is sending email you didn't authorize, you have a problem that extends beyond email.
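A static sanity check for the SPF and DMARC records mentioned above, added as an example and not part of the original article. It reads the record text (which you would obtain with `dig TXT yourdomain.com` and `dig TXT _dmarc.yourdomain.com`) and flags an SPF catch-all that lets anyone send as the domain, `include:` entries you did not authorize (the kind of change that shows up when DNS has been tampered with), and a DMARC policy that only monitors. The sample records and the expected-include list are constructed.

```python
"""Flag weak or tampered SPF and DMARC records.  Added example, not from the
original article; the sample records and expected-include set are constructed."""

QUALIFIERS = "+-~?"   # SPF qualifiers: pass, fail, softfail, neutral


def check_spf(record, expected_includes, expected_ips):
    """Return human-readable findings for one SPF TXT record."""
    if not record.startswith("v=spf1"):
        return ["not an SPF record"]
    findings = []
    terms = record.split()[1:]
    saw_all = False
    for term in terms:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip(QUALIFIERS).lower()
        if mech == "all":
            saw_all = True
            if qualifier in "+?":
                findings.append(f"permissive catch-all '{term}': anyone may send as this domain")
        elif mech.startswith("include:"):
            domain = mech.split(":", 1)[1]
            if domain not in expected_includes:
                findings.append(f"unexpected include: {domain}")
        elif mech.startswith(("ip4:", "ip6:")):
            addr = mech.split(":", 1)[1]
            if addr not in expected_ips:
                findings.append(f"unexpected sender address: {addr}")
    if not saw_all:
        findings.append("no 'all' term: record ends without a policy for other senders")
    return findings


def check_dmarc(record):
    """Return findings for one DMARC TXT record (tag=value pairs split by ';')."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("policy p=none: spoofed mail is only reported, never rejected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not delivered anywhere")
    return findings


# Constructed sample records; the .invalid names are reserved placeholders.
SAMPLE_SPF = ("v=spf1 ip4:192.0.2.10 include:_spf.mailprovider.invalid "
              "include:bulk-sender.invalid +all")
SAMPLE_DMARC = "v=DMARC1; p=none"

if __name__ == "__main__":
    for line in check_spf(SAMPLE_SPF, {"_spf.mailprovider.invalid"}, {"192.0.2.10"}):
        print("SPF:  ", line)
    for line in check_dmarc(SAMPLE_DMARC):
        print("DMARC:", line)
```

The expected-include and expected-IP sets are the record you published; anything else in the live record is either a change a colleague made or a change someone else made, and either way it needs an owner. DKIM is not covered here because its check is a signature verification on received mail rather than a static read of a record.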
What to Do If You Find Something
Don't panic, but move fast.
1. Isolate: Take the affected system offline or restrict access
2. Preserve: Copy logs and filesystem state before making changes — you need evidence
3. Investigate: Determine the entry point, what was accessed, and what was changed
4. Remediate: Patch the vulnerability, remove the attacker's access, rotate all credentials
5. Monitor: Watch for re-entry attempts — attackers frequently return through secondary backdoors
If you suspect a compromise and need professional help, contact us for incident response.